-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathFortinet Firewall
170 lines (129 loc) · 3.72 KB
/
Fortinet Firewall
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
Show status summary:
“Show/Get” sys status
Show all Interfaces:
“Show/Get” get system interface
Show list of physical interfaces and details:
get system interface physical
Show contents of flash memory with active firmware:
Dia sys flash list
NETWORKING:
STATIC:
Config sys interface
Edit “interface name”
Set mode static
Set allow ssh ping https
Set ip x.x.x.x.x|x.x.x.x.x
End
DHCP:
Config sys interface
Edit “interface name”
Set mode dhcp
Set allow ssh ping https
End Configure interface with static or dhcp.
show system dhcp/dhcp6 server Show DHCP configuration.
execute dhcp/dhcp6 lease-list “interface
name” Show all IP allocation via DHCP.
VLAN:
config system interface
edit "interface name”
set status “up/down”
next
end Configure an interface to be up or down.
config system interface
edit "VLAN name"
set vdom "root"
set ip “10.1.10.254” “255.255.255.0”
set allowaccess “ping” “https” “ssh” “http”
set type vlan
set device-identification enable
set role “lan”
set snmp-index 15
set interface "Interface Name"
set vlanid 10
next
end Configure a VLAN to an interface.
config router static
edit 1
set status enable
set dst “10.20.30.0” “255.255.255.0”
set gateway “192.168.179.2”
set distance 10
set weight 0
set priority 0
set device "wan1"
set comment ''
set blackhole disable
set dynamic-gateway disable
set link-monitor-exempt disable
set bfd disable
next
end Configure a static router.
Show routing table:
get router info routing-table all
Display the Policy Routes
diag firewall proute list
(Show full configuration display):
show full-configuration
(Get detailed routing info):
get router info routing-table detail
(Show current firewall policy):
show firewall policy
(Show firmeware and Bios versions):
get system status
(Check interface status):
get system interface physical
(Display ARP table):
get system arp
(Save Configuration/Don't Save Configuration & exit)
end/abort
FIREWALL:
(Enter firewall configuration):
config firewall policy
(Shows all firewall policies):
show
(Save and Exit)
end
config firewall policy
edit 555
set name "test"
set srcintf "vlan10"
set dstintf "port 5"
set srcadr "xxxx" "xxxx" "xxx"
set action accept
set schedule "always"
set servie "HTTP" "ICMP_ANY"
end
delete “Enter policy name”:
config firwall policy
end
BACKUP:
Backup Logs to usb:
exec log backup /usb/log.tar
To backup the configuration using the CLI:
Use one of the following commands:
execute backup config management-station <comment>
Backup to USB:
execute backup config usb <backup_filename> [<backup_password>]
Backup FTP:
execute backup config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]
Backup TFTP:
execute backup config tftp <backup_filename> <tftp_servers> <password>
Use the same commands to backup a VDOM configuration by first entering the commands:
config vdom
edit <vdom_name>
RESTORE CONFIG:
execute restore config management-station normal 0
or:
execute restore config usb <filename> [<password>]
FTP:
execute restore config ftp <backup_filename> <ftp_server> [<port>] [<user_name>] [<password>]
TFTP:
execute restore config tftp <backup_filename> <tftp_server> <password>
BACKUP Certificate:
execute vpn certificate local export tftp <cert_name> <filename> <tftp_ip>
where:
<cert_name> is the name of the server certificate.
<filename> is a name for the output file.
<tftp_ip> is the IP address assigned to the TFTP server host interface.
Restore Certificate:
execute vpn certificate local import tftp <filename> <tftp_ip>